DOCSLIB.ORG

A Study of MAC Time Update on NTFS

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Study of MAC Time Update on NTFS Who Dun It: A Study of MAC Time Update on NTFS Dae Glendowne 1, Christopher Ivancic 2, and David Dampier 3 Abstract —When gathering evidence from a system an investigator often relies on timestamps in order to construct a timeline of events that occurred on that system. These timestamps contain the modified, created, and accessed (MAC) times for a given file or directory. These MAC times, specifically the accessed time, can be changed by a variety of processes. This needs to be accounted for when analyzing digital evidence. In this paper we have performed an initial analysis of some processes that commonly take place on the Windows 7 operating systems using the NTFS file system and how they affect the MAC times of files. We discuss this analysis as well as some of the challenges faced with determining what exactly causes the updated MAC times to be stored on a physical disk. 1 Keywords - File System, NTFS, Accessed Time, MAC 1. INTRODUCTION Digital forensics deals with the recovery and interpretation of evidence from a digital crime scene. A key part of this process is event reconstruction. Event reconstruction examines the evidence to determine why is has certain characteristics. [2] The Modified, Accessed, and Created (MAC) times are significant forensic artifacts that can be leveraged by the examiner to help perform event reconstruction of a system. These timestamps tell when the file was created, when the file was last modified, and when the file was last accessed. This information, when combined with other temporal cues, can tell a story about the system itself. While each of these times is important, we consider the last accessed time to be the most interesting due to the manner in which it is updated. We believe it is important that the investigator be aware of how timestamps are updated as well as which user actions and processes in Windows 7 can cause these updates in order to draw more accurate conclusions from the evidence presented. The MAC times of a file can be updated in a variety of ways by numerous processes, user actions, or malicious tampering. Of these, the last accessed time is the most volatile. Many processes can affect it, sometimes without direct interaction or the realization of a user. As a system is being examined, actions and processes that may have affected timestamps needs to be taken into account. This paper is a product of ongoing research with the National Forensics Training Center (NFTC). The goal of the NFTC is to provide instruction to law enforcement of modern and relevant forensics technique. To continue providing education and training to the law enforcement we conduct research in techniques and tool development in digital forensics. We believe this work will aid law enforcement in more accurate event reconstruction in the Windows 7 environment. 2. RELATED WORK While timestamp analysis is not new in the area of digital forensics, there has not been significant research into just how MAC times are formed. What exactly is an access of a file and when does it occur? When are these accesses actually recorded in a file’s attributes on the NTFS file system? These are the types of questions that began this research and the ones that we attempt to answer in this paper. Chow et. al. did a study to determine a set of rules they could apply based on the observed MAC times for a file or group of files that would indicate a likely cause for those MAC times. The focus for their paper was on 1 Mississippi State University, 665 George Perry Street, Butler Hall, Mississippi State, MS 39762, [email protected] 2 Mississippi State University, 665 George Perry Street, Butler Hall, Mississippi State, MS 39762, [email protected] 3 Mississippi State University, 665 George Perry Street, Butler Hall, Mississippi State, MS 39762, [email protected] 2012 ASEE Southeast Section Conference the behavioral characteristics of MAC times in order to aid in event reconstruction. [4] This paper will focus on the why and how of MAC time updates, particularly the last accessed time value. 3. NTFS The New Technology File System (NTFS) is the default file system for all current versions of the Windows operating system (XP, Vista, Server, and 7). In NTFS, everything is a file including the file system administrative data. The primary data structure in NTFS is the Master File Table (MFT) and every file will have at least one entry in the MFT. [1] The MFT holds information about the files and directories in MFT entries. These MFT entries store attributes and an attribute is a data structure containing a specific type of information such as a file's filename or security information for that file. In Windows interactions with the NTFS file system take the form of reading and writing attributes for a given file. An example of an attribute is the $DATA attribute which is common to every file in the file system. This attribute stores the actual content of a file such as the text for this paper. [1] The $STANDARD_INFORMATION attribute contains the timestamp information for that file. It is from this attribute that Windows determines the MAC times for a file that are displayed to the user when they view the properties of a file. There is also a $FILE_NAME attribute that contains the MAC time information as it relates to the filename for a given file. [1] This attribute is used by directories to obtain information about the files that are contained within that directory. 4. WINDOWS I/O ARCHITECTURE In our efforts to better understand what causes updates to MAC times that are written to disk, we peeked into the architecture of Windows I/O system. This section contains a brief overview of that system. The I/O system in Windows consists of a group of components that manage the interactions between hardware devices and applications. At the center of the I/O system is the I/O manager. The I/O manager provides a framework with which I/O requests can be passed to device drivers from applications as well as other drivers. These requests take the form of I/O request packets (IRPs). An IRP is a data structure constructed by the I/O manager that contains all the relevant information for a given I/O operation such as the file to be accessed and the type of access desired. [5] The components that make up the I/O manager that we are interested in are the NTFS driver, volume manager, and the disk driver. These components work closely with the log file service, cache manager, and memory manager to implement efficient I/O processing. Figure 1: NTFS and Related Components 2012 ASEE Southeast Section Conference NTFS Driver, Volume Manager, Disk Driver - These three drivers work together to enable the reading and writing of files from the disk. When user applications and system processes need access to a file they will call the NTFS driver to locate it. The NTFS driver sends an IRP to a device object that represents a volume. The volume manager will then send an IRP (via the I/O manager) to the disk driver containing the volume reference. The disk manager will locate the file and the contents that are required will be loaded into memory. Log File Service - The log file service (LFS) is composed of several functions that exist inside the NTFS driver. These functions are used to record all metadata changes that occur in the file system for the purpose of recovery. Once the LFS has written the log file to disk, the cache manager will flush the actual metadata changes to disk.[5] Memory Manager - Part of the memory manager's responsibilities include mapping accessed files from disk into memory. The memory manager uses a structure called a section object, also called a file mapping object, to map virtual addresses to these opened files. The portion of the file that is mapped into memory (the view) may be utilized by an application to read or write the data for that file. Once a file is mapped into a process’s virtual address space in memory, the program can access the file view without performing extra disk I/O. If the process needs to access a portion of the file that is not mapped into memory then the memory manager uses it’s paging mechanism to load that view into memory. This is the same way the memory manager writes changes back to disk. When a process writes to a file view, the memory manager just pages the written pages back to disk. [5] Figure 2: Relationship between file on disk, file mapping object, and file view. [8] Cache Manager - The cache manager helps the memory manager and NTFS driver maintain efficiency for I/O operations. 5. TESTING METHODS Windows, for the sake of efficiency, does not immediately write attribute modifications to disk. To test this we took the approach of not just looking at the timestamps through explorer in the properties. We wanted to see actual system calls and determine what is being updated. This section describes our process for exploring how processes can affect the MAC times of a file. The first challenge in looking for updated MAC times was simply to view the MAC times for a file without altering them by that same action. We knew from previous experience that simply right clicking a file and checking the properties can cause a last accessed time update. Our primary method for checking this was to use the dir command from the command line with the dir /t:a parameter.
Load more

Recommended publications
  • Windows 10 to Stop Asking You for Feedback 2
    Table of Contents SYSTEM o Display o Advance Display Settings o Color calibration o ClearType text o Advanced sizing of text and other items o Display adapter properterties o Notification & actions o Select which icons appear on the taskbar o Turn system icons on or off o Apps & Features o Manage optional features o See optional feature history o Programs And Features o Multitasking o Tablet Mode o Battery Saver o Battery Use o Change Background App Settings o Change Battery Saver Settings o Battery Saver Settings o Power & Sleep o Additional power settings o Storage o Offline Maps o Choose default apps o Choose Defaults Apps By File Type o Choose Defaults Apps By Protocol o Set Defaults By App o About o Change product key or upgrade your edition of Windows o Read the Privacy Statement for Windows and Microsoft services o Read the Microsoft Services Agreement that applies to our services o Read the Microsoft Software License Terms o Additional Administrative Tools o Bitlocker settings o DeviceManager 1 | Page o System info DEVICES o Printers & Scanners o Devices & Printers o DeviceManager o Connected devices o Mouse And Touchpad o Additional Mouse Options o Typing o Pen o AutoPlay o Default app settings o USB Network & Internet o WiFi o WirelessNetworkConnection o Advanced options o Manage Wi-Fi Settings o Your email and accounts o Sign in with a Microsoft account instead o Add a work or school account o Change adapter options o Change Advanced Sharing Options o Network and Sharing Center o HomeGroup o Windows Firewall o Airplane mode
    [Show full text]
  • Lenovo HORIZON 2E User Guide
    Machine type: F0AS Lenovo HORIZON 2e User Guide www.lenovo.com Version 1.0 2014.06 SP40G09159 Important Safety Information Before using this manual, it is important that you read and understand all of the related safety information for this product. Refer to the Safety and Warranty Guide that you received with this product for the latest safety information. Reading and understanding this safety information reduces the risk of personal injury or product damage. The interface and functions shown in this User Guide are provided for reference only and may differ from actual product appearance. Product design and specifications may be changed without notice. Danger: Be aware of extremely hazardous or potentially lethal situations. Attention: Be aware of possible damage to programs, devices, or data. Note: Pay attention to this important information. © Copyright Lenovo 2014. All rights reserved. LIMITED AND RESTRICTED RIGHTS NOTICE: If data or software is delivered pursuant a General Services Administration “GSA” contract, use, reproduction, or disclosure is subject to restrictions set forth in Contract No. GS-35F-05925. Contents Important Safety Information Using the Computer Hardware ................................................. 1 Front view of the computer .........................................................................2 Left and right view of the computer ............................................................3 Rear view of the computer .........................................................................4 Computer
    [Show full text]
  • Windows 10 for Beginners
    Windows 10 for beginners Windows 10 is the latest version of the Windows operating system. New PCs will typically come with Windows 10 installed. If you have an older computer and would like to purchase Windows 10, it starts at $119. Find out more at: https://www.microsoft.com/en-us/windows/get- windows-10 Signing in There are two ways to sign in to your Windows 10 computer: with a local account or a Microsoft account. A local account means all of your files and settings are only accessible on the computer you log into. (Just like usual, to many of us!) A Microsoft account (Outlook, Hotmail, Live, MSN) allows you to sync your information between multiple devices, and would even let you sign into your account from a friend’s Windows 10 device. You need a Microsoft account to use features like Cortana, download from the Windows Store, and activate Find My Device. If you don’t have a Microsoft account, Windows 10 will walk you through setting one up. You can switch between a local and Microsoft account at any time. Windows 10 desktop screen Icons and shortcuts Start menu Cortana Task View Edge File Explorer Store Internet signal Sound Action Center La Crosse Public Library Windows 10 for beginners p.1 Start menu Microsoft now calls most things “apps”. Click on the Windows logo in the lower left corner to open your Start menu and see your apps. Get to your most These are called tiles. If they are used apps. If you’re animated, they’re called live tiles.
    [Show full text]
  • Windows Apps Will Help You Get the Most out of Your New PC (Digitaltrends.Com)
    Free Windows 10 Applications MARCH 21, 2019 SIR Computer & Tech Leadership Team CAT Tech Advisors (The “Experts”) Phil Goff Derek Southern Dean Steichen Barry Brown Frank May Neil Schmidt CAT Support Team Dan Green (Treasurer) Nick Bowes (Asst. Treasurer) Dick Curry (Coffee Master) Bill Phelon (Membership) Windows 10 App News Articles Several 1 st of Year Tech articles about Windows 10 Apps: Useful and Unknown Software and Tools of 2018 for Windows (ampercent.com) Top 35 free apps for Windows 10 (computerworld.com) The 20 Best Productivity Apps for Windows in 2018 (zapier.com) 2019 list: Best free software for a new Windows 10 (windowsreport.com) Our favorite Windows apps will help you get the most out of your new PC (digitaltrends.com) SIR Area 16 Computer & Technology Group “Tech Advisors” Windows Store How do you load “apps”? Windows Store Find it in your “Start” screen Or just type “Store” in the search bar Download program from web site PC Utility Apps Flipboard News aggregator Personalize to include articles of interest to you: Technology CNET Mobile Technology The DYI PC Home Automation Etc., etc. Available for PC, mobile Free (Windows Store) Also available for Mac Digital Trends Microsoft “OfficeOnline” Web based MS Office View, edit and create Office files on your browser Get many of the features of Word, Excel, Powerpoint and OneNote Somewhat similar to Google Docs Free (Windows Store) Computerworld FreeOffice Office productivity suite Similar to WORD, EXCEL, etc. Runs inside your favorite
    [Show full text]
  • Download Windows 10 Photos on Windows 8 the Best Photo Viewer for Windows 10: 8 Apps Compared
    download windows 10 photos on windows 8 The Best Photo Viewer for Windows 10: 8 Apps Compared. Windows 10 has a built-in photo viewer that you can use to view, edit, and enhance your photos. However, there are a few drawbacks with the Windows 10 Photos app, including the amount of time it takes before previewing an image. For many Windows 10 users, the slow loading of images remains a major gripe, but that can be resolved by using alternative photo viewer apps. If you’re ready to move on without the Windows Photos app, or prefer a more nimble program, check out our top picks for the best photo viewer for Windows 10. Also, be sure to check out our YouTube channel where we posted a short video going over some of the options in this article. Best Photo Viewer For Windows 10. 1. IrfanView. IrfanView is the best free photo viewer for Windows 10, with a host of image editing functions. The app is snappy, loads images fast, and has no bloatware. Besides its performance, IrfanView offers batch conversions, media file conversion, and allows you to add plugins to extend its features. Plus, IrfanView organizes your images, and allows you to zoom or switch to different images using the scroll bar. The app gives you all the perks of the earlier Windows Photo Viewer, minus the laggy mess that is the Photos app in Windows 10. IrfanView is free to use, lightweight at only 3MB in size, and is compatible with multiple media formats. 2. XnView. XnView isn’t just a photo viewing app.
    [Show full text]
  • Jump List Forensics
    Jump List Forensics Written & Researched By Chris Antonovich 175 Lakeside Ave, Room 300A Phone: 802/865-5744 Fax: 802/865-6446 http://www.lcdi.champlin.edu 4/28/14 Patrick Leahy Center for Digital Investigation (LCDI) Disclaimer: This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated. Contents Introduction ............................................................................................................................................................................. 2 Background: ........................................................................................................................................................................ 2 Purpose and Scope: ............................................................................................................................................................
    [Show full text]
  • Sage 100 Upgrade Guide
    Sage 100 2021 Customer Upgrade Guide April 2021 © 2021 The Sage Group plc or its licensors. All rights reserved. Sage, Sage logos, and Sage product and service names mentioned herein are the trademarks of The Sage Group plc or its licensors. All other trademarks are the property of their respective owners. Business Objects® and the Business Objects logo, BusinessObjects®, and Crystal Reports® are trademarks or registered trademarks of Business Objects Software Ltd. in the United States and in other countries. Business Objects is an SAP company. Microsoft® and Microsoft SQL Server® are either registered trademarks or trademarks of the Microsoft Corporation in the United States and/or in other countries. The names of all other products and services are property of their respective owners. Contents Chapter 1 — Introduction 1 How to Use This Guide 1 Graphic Conventions 2 Text Conventions 2 Chapter 2 — What's New in Version 2021 3 Global Changes 3 Company Types 3 Check Number Field Expanded 4 Select Which User Identifier to Display 4 64-Bit Version of Sage 100 4 Payment Center Rebranding 5 Edge Used for Embedded Browser 5 Map Sage 100 Users to Sage ID Accounts 5 Accounts Payable 5 Form 1099-NEC Option in Form 1099 Tax Reporting 5 A/P Open Invoices Paid Today Utility 5 Accounts Receivable 6 Use Original or Current Cost When Applying Credit Memo 6 Settings Saved When Creating Form Code in A/R Invoice Printing 6 Bank Reconciliation 6 Exclude Wire Transfers from Positive Pay Export 6 Custom Office 7 Select Role When Adding UDT to UDT Maintenance
    [Show full text]
  • "Universal Document Viewer" Project Report
    "Universal Document Viewer" Project Report Submitted in partial fulfillment of the requirements for the degree of Bachelor of Engineering by Momin Muntazim Azim Anisa(12CO75) Karel Abdulla Nuruddin Zubeda(12CO76) Khan Irfan Mohd Aslam Fehmida(12CO74) Supervisor (Tabrez Khan) Department of Computer Engineering, School of Engineering and Technology Anjuman-I-Islam’s Kalsekar Technical Campus Plot No. 2 3, Sector -16, Near Thana Naka, Khanda Gaon, New Panvel, Navi Mumbai. 410206 Academic Year : 2015-2016 CERTIFICATE Department of Computer Engineering, School of Engineering and Technology, Anjuman-I-Islam’s Kalsekar Technical Campus Khanda Gaon,New Panvel, Navi Mumbai. 410206 This is to certify that the project entitled “Universal Document Viewer” is a bonafide work of “Momin Muntazim Azim Anisa” (12CO75)“Karel Adbulla Nuruddin Zubeda” (12CO76)“Khan Irfan Mohd Aslam Fehmida” (12CO74)submitted to the University of Mumbai in partial fulfillment of the requirement for the award of the degree of “Bachelor of Engineering” in Department of Computer Engineering. Name: Tabrez Khan Supervisor/Guide Prof. Tabrez Khan Dr. Abdul Razak Honnutagi Head of Department Director Project Approval for Bachelor of Engineering This project entitled Universal Document Viewer by Momin Muntazim Azim Anisa , Karel Abdulla Nuruddin Zubeda , Khan Irfan Mohd Aslam Fehmida is approved for the degree of Bachelor of Engineering in Department of Computer Engineering. Examiners 1. .............................. 2. .............................. Supervisors 1. .............................. 2. .............................. Chairman ............................. Declaration I declare that this written submission represents my ideas in my own words and where others ideas or words have been included, I have adequately cited and referenced the original sources. I also declare that I have adhered to all principles of academic honesty and integrity and have not misrepresented or fabricated or falsified any idea/data/fact/source in my submission.
    [Show full text]
  • Photos Download Settings Reset in Windows 10 How to Reset a Windows 10 PC to Factory Settings
    photos download settings reset in windows 10 How to reset a Windows 10 PC to factory settings. Although Windows 10 is a reliable system, over time, you can come across a lot of problems. You may have issues with starting up or shutting down, excessive memory usage, performance running apps, battery draining quickly, among many other issues, and when any of this happens, resetting to factory settings will come in handy. If you're stuck working at home, and you're experiencing persistent performance issues, Windows 10 ships with various recovery options to reset the system to factory settings keeping or removing your files to resolve common problems and improve peformance. There's even an option to use the original image, instead of a custom manufacturer recovery image that may contain bloatware and settings you don't need. In this Windows 10 guide, we'll walk you through three different methods to reset your computer to its factory settings without your files or erasing everything. How to factory reset Windows 10 using keep my files option. To reset Windows 10 to its factory default settings without losing your files, use these steps: Open Settings . Click on Update & Security . Click on Recovery . Under the "Reset this PC" section, click the Get started button. Source: Windows Central. Click the Keep my files option. Source: Windows Central. (Optional) Click the List of apps to be removed option. Source: Windows Central. Click the Back button. Source: Windows Central. Once you complete the steps, the device will reset to the factory settings preserving your files during the process.
    [Show full text]
  • Photo Download for Windows 10 Microsoft Photos App Download/Reinstall on Windows 10 [Minitool News] an Introduction of Microsoft Photos App
    photo download for windows 10 Microsoft Photos App Download/Reinstall on Windows 10 [MiniTool News] An introduction of Microsoft Photos app. Learn how to access Microsoft Windows Photos app, how to download and install, or reinstall Microsoft Photos app on your computer. FYI, MiniTool Software offers you free movie maker, free video editor, free video converter, free screen recorder, free video downloader, free photo and video recovery software, and more. To manage & edit photos and videos on Windows 10, you can use Windows built-in free Microsoft Photos app. This post teaches you how to open Microsoft Photos app, how to download and install Microsoft Photos app, how to uninstall and reinstall Microsoft app on your Windows 10 computer. What Is Microsoft Photos. Microsoft Photos is a photo and video editor designed by Microsoft. It was firstly introduced in Windows 8 and is also included in Windows 10. You can use this app to view, organize, edit, share your images and photos, play and edit video clips, create albums, etc. Microsoft Photos video editor lets you trim videos, change filters, text, motion, music, add 3D effects, and more. App Type: Image viewer, image organizer, video editor, video player, raster graphics editor. License: Is Microsoft Photos free? It is free to use for all users but with in-app purchase for more advanced features. Availability: Windows 10/8/8.1, Windows 10 Mobile, Xbox One. Support 64 languages. Predecessor: Windows Photo Viewer, Windows Photo Gallery, Windows Movie Maker. Here’s the walkthrough for how to download Microsoft Store app for Windows 10 or Windows 11 PC.
    [Show full text]
  • Tech Savvy Tips & Tricks
    Presents: Tech Savvy Tips & Tricks By Angie Harris Adapted from the Texas State Library’s TEAL for All Texans Student Resources Manual Tech Savvy Topics • Microsoft Office Tips • Windows OS Tips • Online Tips Goals & Objectives • Learn tricks and tips for Microsoft Office programs • Learn tips and tricks for computers that run Windows OS • Learn tips and tricks to use online Microsoft Office Customizing the Ribbon Menu . The Ribbon contains multiple tabs, each with several groups of commands. Some tabs, like "Drawing Tools" or "Table Tools", may appear only when you are working with certain items like images or tables. In addition, you can add your own customized tabs that contain your favorite commands. You can customize the Ribbon by creating your own tabs that house your desired commands. Commands are always housed within a group, and you can create as many groups as you need to keep your commands organized. In addition, you can even add commands to any of the default tabs, as long as you create a custom group within the tab. Customizing the Ribbon Menu To customize the Ribbon: 1. Right-click on one of the tabs in the Ribbon, and select Customize the Ribbon. A dialog box will appear. 2. Click New Tab at the bottom of the box. A new tab will be created with a new group inside it. 3. Make sure the new group is selected. 4. Select a command from the list on the left, then click Add. You can also drag commands directly into a group. 5. If you do not see the command you want, click on the Choose commands drop- down box, and select All Commands.
    [Show full text]
  • Download Microsoft Photos App for Windows 10 Microsoft Photos
    download microsoft photos app for windows 10 Microsoft Photos. Microsoft Photos permits you to view and edit your photos/videos, make movies, create albums, and more. This will come in handy if you uninstalled it and want it back or for reinstall purposes in the event of issues. You have a number of effective creative tools right at your fingertips like video remix for the instant creation of a video from photos or videos, crop and rotate photos, adjust lighting and color, add filters, and other effects. You can also utilize the video editor to refine your production with fine- tuned adjustments including filters, text, camera motion, music, and many others. It also allows you to add several different 3D effects like butterflies, lasers, or explosions that will appear in your video giving it a fun vibe. You can also draw on a photo or video and create an animated playback of your drawing as well as making a slideshow. Microsoft Photos is straightforward to use but full of so many features that you will be creating pro-looking media in no time. It does provide tips and tricks to help you along just in case. Microsoft Photos. Microsoft Photos permits you to view and edit your photos/videos, make movies, create albums, and more. This will come in handy if you uninstalled it and want it back or for reinstall purposes in the event of issues. You have a number of effective creative tools right at your fingertips like video remix for the instant creation of a video from photos or videos, crop and rotate photos, adjust lighting and color, add filters, and other effects.
    [Show full text]